Microsoft-Windows-CertificationAuthority – Contains operational and installation events related to the CA. Object access auditing is not required for these events to be written to the Application log.

Microsoft-Windows-Security-Auditing – Contains numerous events related to the security and configuration of the CA. Object access auditing must be configured for Certification Services and an appropriate CA audit filter must be configured.

Event IDs:

Certificate Services loaded a template (Event ID 4898) – This event is triggered whenever a CA loads a template for the first time. For example, if a CA is configured with three templates, at startup this event will trigger for each template as it loads. If a fourth template is added while the CA is running, an event will be triggered on the first attempt to enroll the template on the CA.

A Certificate Services template was updated (Event ID 4899) – This event is triggered when a template loaded by the CA has an attribute updated and an enrollment is attempted for the template. For example, if an additional EKU is added to a template, this event would trigger and provide enough information to determine the change being made.

Certificate Services template security was updated (Event ID 4900) – This event is triggered when security permissions on a Certificate Template loaded on a CA are changed, and an enrollment event for the template occurs.